Today’s cyber landscape is littered with hackers trying to evade detection and defenders trying to improve detection. One aspect of this landscape is the hardware devices that attackers plug into computer systems to gain access and perform malicious acts. Defenders, in turn, build detections that surface indicators of compromise for this type of attack so that they can respond to it.
Target’s Cyber Fusion Center has an innovative perspective on how to detect when hackers use malicious hardware. Amperage (power usage) is the key to detecting the hardware that hackers use to bypass current security measures. This new method can help identify such devices and reduce the chance of a hacker gaining access to computer systems through them.
We extended detection capabilities from logic-based detection to a more immutable detection technique based on the physical characteristics of a device. The basis is to apply statistical analysis of the power usage of a device, either real or negotiated, relative to the type of device reported to the operating system. This can be applied to all major operating systems, but Windows 7 and 10 are the operating systems we focused on due to large desktop market share. We can show the capabilities by using Hak5’s Bash Bunny as an example.
The first part of using this detection is to understand where the negotiated power value can be found on the system. The Bash Bunny has multiple modes, one of which is HID Keyboard mode. On Microsoft Windows 7 and 10, we found that the amperage negotiated by a device is exposed through Device Manager: in Windows 7 it is in the “Power” tab of the device itself, and in Windows 10 it is in the “Power” tab of the Generic USB Hub that the device is plugged into.
The second part is to understand what a standard keyboard’s power usage is in milliamps (mA). Using Microsoft’s USBView, we can see that the negotiated power for most keyboards ranges from 50 mA through 100 mA up to 500 mA. Repeating this same activity for the Bash Bunny in HID Keyboard mode, we found that its negotiated power is 2 mA. This value is significantly lower, and as an outlier it is a useful indicator for detection. This mode of Power Detection works by cross-referencing two reported pieces of information to examine potential outliers:
- Constant 1 - The type of device
- Constant 2 - The normal range of used/negotiated amperage for those devices
- Outlier - The suspicious device masquerading as Constant 1 outside the range of Constant 2 in mA
The outlier is found through statistical analysis of both constants referenced against each other and compared to a large dataset.
Currently, there is no available user-friendly method to extract a device’s negotiated power. Methods to acquire this information via Windows Management Instrumentation (WMI) were unsuccessful, and as a result, it appears that Windows API calls must be used to acquire this information.
Microsoft provided code in the Windows Driver Development Kit (DDK) to build sample applications that make use of the necessary Windows API calls for querying USB controller, hub and device configurations. The specific tool is Microsoft’s USBView, which provides a GUI interface displaying full USB configuration details. This codebase was the basis for building CLI tooling that extracts USB MaxPower details for all actively attached USB devices.
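The cross-referencing described above (a reported device type, the normal negotiated-power range for that type, and an outlier outside it) and the MaxPower extraction the USBView-derived tooling performs are shown together in the following added example. It is not the Cyber Fusion Center’s tool, nor Microsoft’s USBView code; it is a Python sketch that decodes the bMaxPower byte of a USB configuration descriptor (which the USB specification expresses in units of 2 mA, so a value of 1 decodes to the 2 mA the post reports for the Bash Bunny) and checks it against a baseline range derived from a dataset. The keyboard baseline values, the descriptor bytes and the function names are constructed for illustration; a real deployment would feed it descriptors retrieved through the Windows USB APIs and a much larger dataset.

```python
# Added example: power-based USB outlier check in the style the post describes.
# Not the Cyber Fusion Center's tooling; all sample values below are constructed.
from dataclasses import dataclass
from math import ceil

USB_CONFIG_DESCRIPTOR_TYPE = 0x02  # bDescriptorType of a configuration descriptor


def max_power_ma(config_descriptor: bytes, superspeed: bool = False) -> int:
    """Decode bMaxPower (byte 8 of a configuration descriptor) into milliamps.

    The USB specification defines the unit as 2 mA for low-, full- and high-speed
    devices and 8 mA when the device operates at SuperSpeed, so bMaxPower = 1 is
    2 mA on a USB 2.0 link, which is the figure the post observed for the Bash Bunny.
    """
    if len(config_descriptor) < 9 or config_descriptor[1] != USB_CONFIG_DESCRIPTOR_TYPE:
        raise ValueError("expected a configuration descriptor of at least 9 bytes")
    unit = 8 if superspeed else 2
    return config_descriptor[8] * unit


@dataclass(frozen=True)
class Baseline:
    """Constant 2: the observed negotiated-power range for one reported device type."""
    device_type: str
    low_ma: int
    high_ma: int


def build_baseline(device_type: str, samples: list[int], trim: float = 0.05) -> Baseline:
    """Derive the expected range from a dataset using nearest-rank percentiles.

    Trimming the extreme tails keeps a handful of bad entries in a large dataset
    from widening the range; with a small dataset the bounds fall back to min/max.
    """
    if not samples:
        raise ValueError("baseline needs at least one sample")
    ordered = sorted(samples)
    n = len(ordered)
    lo_idx = max(ceil(trim * n) - 1, 0)
    hi_idx = min(ceil((1 - trim) * n) - 1, n - 1)
    return Baseline(device_type, ordered[lo_idx], ordered[hi_idx])


def is_power_outlier(reported_type: str, power_ma: int, baselines: dict[str, Baseline]) -> bool:
    """Constant 1 (type reported to the OS) + Constant 2 (range) -> outlier verdict."""
    base = baselines.get(reported_type)
    if base is None:
        return False  # no range to compare against: record it, but do not alert
    return power_ma < base.low_ma or power_ma > base.high_ma


# Constructed dataset: negotiated power (mA) observed for ordinary keyboards.
KEYBOARD_SAMPLES = [50, 100, 100, 100, 500, 98, 100, 50, 500, 100]
BASELINES = {"keyboard": build_baseline("keyboard", KEYBOARD_SAMPLES)}

# Constructed 9-byte configuration descriptors; only bMaxPower (the last byte) differs.
# 0x32 -> 100 mA, a typical keyboard; 0x01 -> 2 mA, the value reported for the Bash Bunny.
TYPICAL_KEYBOARD = bytes([0x09, 0x02, 0x22, 0x00, 0x01, 0x01, 0x00, 0xA0, 0x32])
SUSPECT_KEYBOARD = bytes([0x09, 0x02, 0x22, 0x00, 0x01, 0x01, 0x00, 0xA0, 0x01])


def check_device(reported_type: str, config_descriptor: bytes) -> tuple[int, bool]:
    """Return (MaxPower in mA, outlier?) for a device the OS reports as reported_type."""
    power = max_power_ma(config_descriptor)
    return power, is_power_outlier(reported_type, power, BASELINES)


if __name__ == "__main__":
    for name, desc in (("typical", TYPICAL_KEYBOARD), ("suspect", SUSPECT_KEYBOARD)):
        power, outlier = check_device("keyboard", desc)
        print(f"{name}: reported=keyboard MaxPower={power} mA outlier={outlier}")
```

The range check is deliberately simple because negotiated power takes a few discrete values per device type rather than a smooth distribution; a z-score against such data would flag legitimate 500 mA keyboards as readily as a 2 mA impostor. Unknown device types are not alerted on, since there is no Constant 2 to compare against.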
Although this C/C++ CLI tool is functional, work is underway to re-implement the code as C# to be directly embedded in a PowerShell script for portability.
Baselining the power consumption of suspicious devices and comparing it with that of the devices they masquerade as could prove rewarding for detection. Once the script or application that performs this detection is fine-tuned and portable, it can be ported over to most major detection engines. Additionally, this type of detection is applicable to many devices and operating systems.